Commit 75281c9c authored by Alexander Schnitzler's avatar Alexander Schnitzler Committed by Helmut Hummel
Browse files

[!!!][SECURITY] Add CSRF Protection for tce_file.php

Add a token check in tce_file.php and token generation
everywhere forms for or links to tce_file.php are created.

Additionaly make sure, an instance of ExtendedFileUtility
is created in FileController on initialization to prevent
a fatal "Call to a member function on a non-object" error
in FileController::finish.

Releases: 6.2
Resolves: #55515
Change-Id: Ifd585661ac2cac6c88eaca5ad63b447d27e35395
Reviewed-on: https://review.typo3.org/27691
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
parent b5d82de8
......@@ -934,7 +934,7 @@ class ClickMenu {
} else {
$conf = '1==1';
}
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+\'tce_file.php?redirect=\'+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' . '&file[delete][0][data]=' . rawurlencode($path) . '&vC=' . $GLOBALS['BE_USER']->veriCode() . '\';}hideCM();';
$editOnClick = 'if(' . $loc . ' && ' . $conf . ' ){' . $loc . '.location.href=top.TS.PATH_typo3+\'tce_file.php?redirect=\'+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+\'' . '&file[delete][0][data]=' . rawurlencode($path) . '&vC=' . $GLOBALS['BE_USER']->veriCode() . BackendUtility::getUrlToken('tceAction') . '\';}hideCM();';
return $this->linkItem($this->label('delete'), $this->excludeIcon(IconUtility::getSpriteIcon('actions-edit-delete')), $editOnClick . 'return false;');
}
......@@ -1056,7 +1056,7 @@ class ClickMenu {
public function dragDrop_copymovefolder($srcPath, $dstPath, $action) {
$editOnClick = '';
$loc = 'top.content.list_frame';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"tce_file.php?redirect="+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+"' . '&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . '";}hideCM();top.nav.refresh();';
$editOnClick = 'if(' . $loc . '){' . $loc . '.document.location=top.TS.PATH_typo3+"tce_file.php?redirect="+top.rawurlencode(' . $this->frameLocation(($loc . '.document')) . '.pathname+' . $this->frameLocation(($loc . '.document')) . '.search)+"' . '&file[' . $action . '][0][data]=' . $srcPath . '&file[' . $action . '][0][target]=' . $dstPath . '&prErr=1&vC=' . $GLOBALS['BE_USER']->veriCode() . BackendUtility::getUrlToken('tceAction') . '";}hideCM();top.nav.refresh();';
return $this->linkItem($this->label($action . 'Folder_into'), $this->excludeIcon(IconUtility::getSpriteIcon('apps-pagetree-drag-move-into')), $editOnClick . 'return false;', 0);
}
......
......@@ -194,6 +194,7 @@ class CreateFolderController {
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_newfolder.php.submit', TRUE) . '" />
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:labels.cancel', TRUE) . '" onclick="backToList(); return false;" />
<input type="hidden" name="redirect" value="' . htmlspecialchars($this->returnUrl) . '" />
'. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction') . '
</div>
';
// CSH:
......@@ -229,6 +230,7 @@ class CreateFolderController {
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_newfolder.php.newfile_submit', TRUE) . '" />
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:labels.cancel', TRUE) . '" onclick="backToList(); return false;" />
<input type="hidden" name="redirect" value="' . htmlspecialchars($this->returnUrl) . '" />
'. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction') . '
</div>
';
// CSH:
......
......@@ -171,6 +171,7 @@ class EditFileController {
<textarea rows="30" name="file[editfile][0][data]" wrap="off"' . $this->doc->formWidthText(48, 'width:98%;height:80%', 'off') . ' class="fixed-font enable-tab">' . GeneralUtility::formatForTextarea($fileContent) . '</textarea>
<input type="hidden" name="file[editfile][0][target]" value="' . $this->fileObject->getUid() . '" />
<input type="hidden" name="redirect" value="' . htmlspecialchars($hValue) . '" />
'. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction') . '
</div>
<br />';
// Make shortcut:
......
......@@ -91,6 +91,7 @@ class FileController {
$this->vC = GeneralUtility::_GP('vC');
$this->redirect = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GP('redirect'));
$this->initClipboard();
$this->fileProcessor = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Utility\\File\\ExtendedFileUtility');
}
/**
......@@ -121,7 +122,6 @@ class FileController {
*/
public function main() {
// Initializing:
$this->fileProcessor = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Utility\\File\\ExtendedFileUtility');
$this->fileProcessor->init($GLOBALS['FILEMOUNTS'], $GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']);
$this->fileProcessor->setActionPermissions();
$this->fileProcessor->dontCheckForUnique = $this->overwriteExistingFiles ? 1 : 0;
......
......@@ -188,6 +188,7 @@ class FileUploadController {
$content .= '
<div id="c-submit">
<input type="hidden" name="redirect" value="' . $this->returnUrl . '" /><br />
'. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction') . '
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_upload.php.submit', TRUE) . '" />
</div>
';
......
......@@ -167,6 +167,7 @@ class RenameFileController {
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_rename.php.submit', TRUE) . '" />
<input type="submit" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:labels.cancel', TRUE) . '" onclick="backToList(); return false;" />
<input type="hidden" name="redirect" value="' . htmlspecialchars($this->returnUrl) . '" />
'. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction') . '
</div>
';
$code .= '</form>';
......
......@@ -877,7 +877,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
$confirmationCheck = '1 == 1';
}
$removeOnClick = 'if (' . $confirmationCheck . ') { top.content.list_frame.location.href=top.TS.PATH_typo3+\'tce_file.php?file[delete][0][data]=' . rawurlencode($fileOrFolderObject->getCombinedIdentifier()) . '&vC=' . $GLOBALS['BE_USER']->veriCode() . '&redirect=\'+top.rawurlencode(top.content.list_frame.document.location.pathname+top.content.list_frame.document.location.search);};';
$removeOnClick = 'if (' . $confirmationCheck . ') { top.content.list_frame.location.href=top.TS.PATH_typo3+\'tce_file.php?file[delete][0][data]=' . rawurlencode($fileOrFolderObject->getCombinedIdentifier()) . '&vC=' . $GLOBALS['BE_USER']->veriCode() . BackendUtility::getUrlToken('tceAction') . '&redirect=\'+top.rawurlencode(top.content.list_frame.document.location.pathname+top.content.list_frame.document.location.search);};';
$cells['delete'] = '<a href="#" onclick="' . htmlspecialchars($removeOnClick) . '" title="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:cm.delete') . '">' . IconUtility::getSpriteIcon('actions-edit-delete') . '</a>';
} else {
......
......@@ -2359,6 +2359,7 @@ class ElementBrowser {
. '&expandFolder=' . rawurlencode($folderObject->getCombinedIdentifier())
. '&bparams=' . rawurlencode($this->bparams);
$code .= '<input type="hidden" name="redirect" value="' . htmlspecialchars($redirectValue) . '" />';
$code .= \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction');
$code .= '
<div id="c-override">
<label><input type="checkbox" name="overwriteExistingFiles" id="overwriteExistingFiles" value="1" /> '
......@@ -2422,6 +2423,7 @@ class ElementBrowser {
. '&expandFolder=' . rawurlencode($folderObject->getCombinedIdentifier())
. '&bparams=' . rawurlencode($this->bparams);
$code .= '<input type="hidden" name="redirect" value="' . htmlspecialchars($redirectValue) . '" />'
. \TYPO3\CMS\Backend\Form\FormEngine::getHiddenTokenField('tceAction')
. '<input type="submit" name="submit" value="'
. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:file_newfolder.php.submit', TRUE) . '" />';
$code .= '</td>
......
......@@ -37,5 +37,10 @@
require __DIR__ . '/init.php';
$fileController = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\File\\FileController');
$fileController->main();
$fileController->finish();
$formprotection = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get();
if ($formprotection->validateToken(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('formToken'), 'tceAction')) {
$fileController->main();
}
$fileController->finish();
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment